Kali Linux

packetsifterTool : A Tool To Aid Analysts In Sifting Through A Packet Capture (Pcap) To Find Noteworthy Traffic

packetsifterTool is to perform batch processing of PCAP data to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (Virus Total, Abuse IPDB) and pass PacketSifter a pcap and the desired switches and PacketSifter will sift through the data and generate several output files.


Note Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches or the integrations will not work


05/27/2021
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!

How It Works

Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!

Example:

root@ubuntu:~# ./packetsifter -i /tmp/testing.pcap -a -r -v

Command Line Options

OPTIONS:

  • -a   enable abuseipdb lookups of IP addresses in DNS A records
  • -h   print help
  • -i   input file [Required]
  • -r   resolve hostnames in pcap [Can result in DNS queries to attacker infrastructure]
  • -v   enable VirusTotal lookup of exported SMB/HTTP objects

Requirements

tshark – https://tshark.dev/setup/install/

Output

Currently, PacketSifter generates the following pcaps:

  • http.pcap – All conversations containing port 80, 8080, or 8000
  • smb.pcap – All conversations categorized by tshark dissectors as NBSS, SMB, or SMB2
  • dns.pcap – All conversations categorized by tshark dissectors as DNS
  • ftp.pcap – All conversations categorized by tshark dissectors as FTP

Currently, PacketSifter generates the following text files:

  • IOstatistics.txt – Protocol Hierarchy and Input/Output broken up in 30 second intervals (useful to find potential beaconing)
  • IPstatistics.txt – Overall stats to/from endpoints over IP and individual conversations over IP
  • TCPstatistics – Overall stats to/from endpoints over TCP and individual TCP conversations broken down. <> This file can contain a large amount of information. It is recommended to use less or grep for a conversation in question.
  • http_info.txt – Statistical data about HTTP conversations
  • hostnamesResolved.txt (optional) – Resolved hostnames observed in pcap. <> This can result in DNS queries for attacker infrastructure. Proceed with caution!!
  • SMBstatistics.txt – Stats on commands ran using smb or smb2
  • dnsARecords.txt – DNS A query/responses
  • dnsTXTRecords.txt – DNS TXT query/responses
  • errors.txt – trash file

VirusTotal Integration output text files (all optional):

  • httpHashToObject.txt – Text file containing md5 hash to object pairing for reference
  • httpVTResults.txt – Text file containing results of md5 hash lookup of http objects via VirusTotal API
  • smbHashToObject.txt – Text file containing md5 hash to object pairing for reference
  • smbVTResults.txt – Text file containing results of md5 hash lookup of smb objects via VirusTotal API

AbuseIPDB Integration output text files (optional):

  • IPLookupResults.txt – Text file containing IP Geo-location + IP reputation results

Currently, PacketSifter generates the following tar.gz files:

  • httpObjects.tar.gz – HTTP objects observed in pcap. <> There could be a lot of HTTP objects and you can potentially extract malicious http objects depending on the pcap. Use with caution!!
  • smbObjects.tar.gz – SMB objects observed in pcap. There could be a lot of SMB objects and you can potentially extract malicious SMB objects depending on the pcap. Use with caution!!

VirusTotal Integration

PacketSifter can now perform hash lookups via VirusTotal API of exported objects found via SMB/HTTP.

Steps to configure PacketSifter with VirusTotal integration:

  1. Ensure you have jq (https://stedolan.github.io/jq/download/) installed.

root@ubuntu:~# apt-get install jq

  • Ensure you have curl installed.

root@ubuntu:~# apt-get install curl

  • Download the new version of packetsifter.sh and the new script VTInitial.sh
  • Run VTInitial.sh in the same folder as packetsifter.sh and supply your 64 character alphanumeric VirusTotal API Key when prompted
  • For instructions on how to obtain a free VirusTotal API Key https://developers.virustotal.com/reference

Successful output of VTInitial.sh is shown below:

 Run PacketSifter with the -v flag to enable VirusTotal lookups of exported HTTP and SMB objects.

Successful output of VirusTotal integration and subsequent generated httpVTResults.txt / smbVTResults.txt shown below:

AbuseIPDB Integration

PacketSifter can perform IP Geo-location + IP reputation lookups of IP addresses returned in DNS A Records.

Steps to configure PacketSifter with AbuseIPDB integration:

  • Ensure you have jq (https://stedolan.github.io/jq/download/) installed.

root@ubuntu:~# apt-get install jq

  • Ensure you have curl installed.

root@ubuntu:~# apt-get install curl

  • Download the new version of packetsifter.sh and the new script AbuseIPDBInitial.sh
  • Run AbuseIPDBInitial.sh in the same folder as packetsifter.sh and supply your 80 character alphanumeric AbuseIPDB API Key when prompted.
  • For instructions on how to obtain a free AbuseIPDB API Key https://www.abuseipdb.com/register

**AbuseIPDB free API keys have a limit of 1000 lookups a day**
Successful output of AbuseIPDBInitial.sh is shown below:

  • Run PacketSifter with the -a flag to enable lookups on DNS A records via AbuseIPDB.

Successful output of AbuseIPDB integration and subsequent generated IPLookupResults.txt shown below:
**Confidence Score is on a 0-100 percent confidence scale**

R K

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

6 days ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

6 days ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

6 days ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

6 days ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

6 days ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

7 days ago